December 13, 2007

It’s About (OAuth) Discovery

I’m happy to announce the publication of the first draft of the OAuth Discovery 1.0 specification. OAuth Discovery enables partial and full automation of the OAuth protocol by using machine-readable OAuth configuration documents. What is even more exciting is that we already have two Service Provider implementations available, for Nouncer and Ma.gnolia, upcoming support from Twitter, and we are expecting a Consumer library and test server soon. As with any first draft, the specification is expected to change, and feedback is highly appreciated.

During the OAuth Core development process, many people brought up the idea of using OAuth in a fully automated mode. Usually it came up after they had tried to incorporate OAuth into an existing tool, such as CURL, only to realize there are just too many OAuth parameters provided in manual documentation for a simple and usable interface. This is particularly true considering that in many cases OAuth is replacing HTTP Basic Authentication, which is a fully automated process (except for asking the users for their credentials).

Two weeks ago I implemented an initial concept for OAuth Discovery using existing discovery concepts from the OpenID and XRI worlds. I presented it at IIW in the OAuth Extensions session and got some very positive feedback. The challenge of turning that initial implementation into a specification was that, unlike OAuth Core, a discovery workflow is all about interoperability and must be accurate so that different implementations can work together flawlessly. OAuth Core leaves much out of scope, which is both good and unavoidable.

The OAuth community motto has been from early on: “Don’t invent – reuse”. When applied to developing Core, we rejected proposals from both authors and contributors for features that were not well established in the wild. One such example is a proposal for a preferred language extension which allows a Consumer to indicate to the Service Provider the User’s preferred language during the authorization step. The language preference extension draft has been published this week by George Fletcher (AOL) and John Kemp (Nokia).

When the motto is applied to discovery, it means building a framework that can accommodate future extensions without trying to predict or define them. OAuth Discovery uses the XRDS format together with Yadis to deliver the OAuth configuration in a machine-readable format. It uses URIs to label features and services, and can be implemented for simple and complex scenarios.

To learn more about the proposal and to participate in the discussion, visit the OAuth Extension group.

About

  • This is the technology blog of Eran Hammer-Lahav. A frequent contributor to OAuth, Discovery, XRD, and other emerging community-driven specifications and standards, I am currently working as Yahoo!'s Director of Standards Development. My personal blog is Half a Bee.

Copyright License

Creative Commons License.